Does TRUNCATE specify the ultimate size of an even...

danielbb · ‎02-19-2020

We are not clear whether setting TRUNCATE to a certain value guarantees that the event won't exceed this size in bytes. If not, can we specify the maximum length of an event somewhere?

manjunathmeti · ‎02-19-2020

Splunk truncates events in bytes, from Splunk documentation on props.conf:

TRUNCATE = <non-negative integer>
* The default maximum line length, in bytes.
* Although this is in bytes, line length is rounded down when this would
  otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often
  a sign of garbage data).
* Default: 10000

danielbb · ‎02-19-2020

Ok, according to this documentation, TRUNCATE specifies the length of a line. Then we can merge lines, right? I wonder if or where we can specify the max length of an event?

Beacuae I run -

index=<index name>
| eval len = len(_raw)
| stats max(len)

And it returns 3,461,805. I would like to have a concrete limit for the length of an event.

manjunathmeti · ‎02-19-2020

You can try applying regex to truncate the _raw field. Below regex gets first 3000 characters.

props.conf:

[sourcetype]
TRUNCATE = 10000
TRANSFORMS-truncate_raw = truncate_raw

transforms.conf

[truncate_raw]
SOURCE_KEY  = _raw
REGEX = ^.{0,3000}
DEST_KEY = _raw
FORMAT = $1

danielbb · ‎02-20-2020

Nice @manjunathmeti - are there any combinations where TRUNCATE does specify the length of the event?

danielbb · ‎02-27-2020

We are fine with TRUNCATE for the max line's length and MAX_EVENTS for max number of lines.

Does TRUNCATE specify the ultimate size of an event?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms